Restrict login based on IP-address

Do you know if there is a plugin that will allow me to allow/reject login based on the user's IP? We have a fairly locked down installation and would like to allow some user groups (customers) to only log in from a specific IP range (customer networks).

Cheers!

/Christian

2 answers

The easiest way, without generating firewall rules, is to set up some allowed IPs inside your vhost config.

But this will block all communication before your unwanted clients reach the application itself, so Jira is not going to deny/allow any IP range; Apache will do so...

Which is indeed an ugly solution, because you need to modify it manually each time you get new customers.

Also, if your customers know how to send requests using a different outgoing IP, these settings will be bypassed in less than a second.

0 votes

No, there's nothing in the application.

That's the right approach actually, because you really want to reject users well before they reach the application - you would be far better off doing this in your firewalls.

(There is a valid grumble here that you're wasting your time because it's a doddle to bypass IP-based security, but that's for you to take up with your security people. Ideally getting better ones if they seriously think this is a useful way to do security.)

Thank you for your reply! Maybe I should elaborate a bit. Our customers access Jira from dedicated VPN tunnels; there is no public access to our Jira. The scenarios we're trying to avoid are:

  • A user at Customer A switching employer to Customer B still accessing A's issues through his old account. (Yes, his A account should be terminated ASAP, but there might be a long time before we know that the user has changed firms.)
  • A company account is sniffed and used from a customer VPN (all our on-site personnel use two-factor authentication to log on to our company VPN, from which they can access Jira).

We have a way of doing this, but it is a bit of a plugin hack that a former security officer whipped up. It's now in the way of a Jira upgrade, so I'm investigating alternative ways of achieving this rather than maintaining the hack.

We run Jira behind Apache; would it be possible to somehow have Apache block access based on the content of the login form POST query?

You mean something like "http(s)://yourJirahost/secure/Dashboard.jspa"?

This can be restricted as well.

Note that there are two ways that can be used for login.

The second is http(s)://yourJirahost/login.jsp

You do this by adding restrictions for Locations, e.g. like:

<Location /crowd/>
        # Apache 2.2 mod_access syntax: with "Order deny,allow" the Deny
        # directives are evaluated first and the Allow directives last, so a
        # client matching "Allow from someIP" gets in and everyone else is
        # refused. (On Apache 2.4 the equivalent is "Require ip someIP".)
        Order deny,allow
        Allow from someIP
        Deny from All
</Location>
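The Location block above only ties an address range to a URL, not to the user group that is logging in, which is what the question about inspecting the login form POST is really after. The following is an added example, not code from this thread or from Jira or Apache: a small Python check that maps each user to a group, each group to the VPN networks it may log in from, and evaluates a parsed login POST against the client's source address. The group and network values, the trusted-proxy address and the "username" form field name are all constructed assumptions; the real field name depends on the login page being posted to.

```python
"""Per-group source-IP check for a login POST (added example, constructed data)."""
import ipaddress
from urllib.parse import parse_qs

# Constructed data: which networks each group may log in from, and which
# group each user belongs to. A real deployment would read both from the
# user directory rather than hard-coding them.
GROUP_NETWORKS = {
    "customer-a": ["10.10.0.0/16"],    # Customer A's VPN tunnel (constructed)
    "customer-b": ["10.20.0.0/16"],    # Customer B's VPN tunnel (constructed)
    "staff": ["192.168.100.0/24"],     # company VPN address pool (constructed)
}
USER_GROUPS = {"alice": "customer-a", "bob": "customer-b", "carol": "staff"}

# Reverse proxies whose X-Forwarded-For header we trust: the Apache in front
# of the application, assumed here to reach it from localhost.
TRUSTED_PROXIES = {"127.0.0.1"}


def client_ip(remote_addr, forwarded_for=None):
    """Return the address to evaluate.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy;
    a client that talks to us directly controls that header, so it is
    ignored in that case.
    """
    if forwarded_for and remote_addr in TRUSTED_PROXIES:
        # Apache appends the peer it saw as the last element, so the
        # rightmost entry is the one the trusted proxy vouches for.
        return forwarded_for.split(",")[-1].strip()
    return remote_addr


def login_allowed(username, ip_text):
    """True only if the user is in a known group and the address lies inside
    one of that group's networks. Unknown users and unparsable addresses
    fail closed."""
    group = USER_GROUPS.get(username)
    if group is None:
        return False
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(net) for net in GROUP_NETWORKS[group])


def decide(post_body, remote_addr, headers):
    """Evaluate one login POST. Returns ('allow' | 'deny', username, ip)."""
    fields = {k: v[0] for k, v in parse_qs(post_body, keep_blank_values=True).items()}
    username = fields.get("username", "")  # form field name is an assumption
    ip = client_ip(remote_addr, headers.get("X-Forwarded-For"))
    verdict = "allow" if login_allowed(username, ip) else "deny"
    return (verdict, username, ip)


if __name__ == "__main__":
    # Constructed requests covering the two scenarios from the thread plus a
    # spoofed X-Forwarded-For header from an untrusted peer.
    samples = [
        ("username=alice&password=x", "10.10.5.5", {}),                        # own network
        ("username=alice&password=x", "10.20.5.5", {}),                        # A's account from B's VPN
        ("username=carol&password=x", "10.10.5.5", {}),                        # staff account from a customer VPN
        ("username=alice&password=x", "10.20.5.5", {"X-Forwarded-For": "10.10.5.5"}),  # spoofed header
        ("username=alice&password=x", "127.0.0.1", {"X-Forwarded-For": "10.10.5.5"}),  # via trusted proxy
    ]
    for body, peer, hdrs in samples:
        print(decide(body, peer, hdrs))
```

The check deliberately rejects unknown users rather than passing them through, and it only believes X-Forwarded-For when the immediate peer is the proxy in front of the application; without that condition anyone able to reach the application port directly could pick the address that gets evaluated.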

I'd first see if the plugin hack cannot be easily used on a newer version of jira.

Afterwards, a wrapper comes to mind that you log in against. If you pass the conditions in the wrapper, you could redirect them to the actual Jira. One would have to find out, however, how exactly Jira authenticates users. On the dashboard I see a submit to the current page (Dashboard.jsp), while there also is login.jsp etc.

You seem smart enough to find another hack ;-)
